An Overhauled Opera Patches Security Risks, But not on Mac OS

The Opera Mini browser has a fresh version for Windows and Linux computers, Opera 12.13, which fixes several bugs and security issues, but the version available from the Apple App Store has not picked up the changes and remains two versions behind, exposing Mac OS users to threats.

Opera Software has released the latest version of the web browser to address several security loopholes associated with Opera 12.12, including vulnerabilities that could lead to an unexpected crash and sneaky execution of malware. However, the updates haven’t reached the Mac App Store as of now and users who are not keen on downloading the browser from the Opera website itself may find themselves susceptible to security flaws.

The Mac App Store still carries Opera 12.11, which is fraught with security and stability issues. Apple, which touts its App Store to be on the constant lookout for the latest updates, has yet to deliver this protection to users of the outdated version.

Graham Cluley, a security expert at Sophos Labs, raised concerns that the users who completely depend upon the Mac App Store for the updates of their applications, web browser or otherwise, are “being let down badly.”

“The Mac App Store may be a convenient one-stop-shop for Mac users to get their software from, but it sure does a poor job at keeping that software up-to-date and ensuring that users are protected against the latest vulnerabilities,” he wrote in a blog post at Naked Security.

The general and user interface enhancements that Opera Software has brought to Opera 12.13 address internal communication errors on Facebook, webpages that don’t load on startup and in the absence of Internet connection, and images that don’t appear after back navigation.

Opera 12.13 for Linux and Windows also comes with a stand-alone update-checker, as part of a planned upgrade of the automatic update system. The update further enhances protection against hijacking of the default search, including a one-time reset.

Meanwhile, the fixes and stability improvements address major security issues, including arbitrary code execution through manipulation of DOM events and through SVG clipPaths. The new version of Opera also fixes a low-severity security issue, the details of which Opera Software has yet to release. Lastly, an issue in which CORS preflight requests could be omitted has been fixed.

In an advisory, Opera Software urged web authors to use more reliable XSRF protection measures, such as sending a secret token in the form data of any HTTP request (including XMLHttpRequest) that initiates a sensitive action. The server-side code then validates the secret token before running the action.
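A minimal sketch of the server-side token check the advisory describes, added here as an example and not taken from Opera's advisory. The function names, the `csrf_token` form field and the HMAC-based token format are assumptions made for illustration.

```python
import hashlib
import hmac
import re
import secrets

# Server-side key; constructed for this example and regenerated per process.
SERVER_KEY = secrets.token_bytes(32)
# Methods treated as initiating sensitive actions (an assumption for this sketch).
SENSITIVE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
NONCE_RE = re.compile(r"[0-9a-f]{32}")


def _mac(session_id: str, nonce: str) -> str:
    # Bind the token to one session so a token from another session is useless.
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str) -> str:
    """Create the secret token to embed in a hidden form field."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def token_is_valid(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    nonce, sep, sent_mac = (token or "").partition(".")
    # Reject malformed tokens before doing any cryptographic work.
    if not sep or not NONCE_RE.fullmatch(nonce):
        return False
    expected = _mac(session_id, nonce)
    return hmac.compare_digest(expected.encode(), sent_mac.encode())


def handle_request(method: str, session_id: str, form: dict) -> int:
    """Hypothetical handler: returns the HTTP status it would send."""
    if method.upper() in SENSITIVE_METHODS:
        # The check lives in the form data, so it does not depend on the
        # browser having sent a CORS preflight first.
        if not token_is_valid(session_id, form.get("csrf_token", "")):
            return 403
    # The sensitive action would run here, only after validation.
    return 200
```

Because the token is checked on every state-changing request, a cross-site page that cannot read the victim's form cannot supply a valid value, whether or not the browser enforces preflight correctly.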

Cluley advised Mac users to download the Opera browser directly from the developer’s website instead of from the Mac App Store.

“Some software, such as internet browsers, are simply far too risky to use if you can’t trust them to be the very latest version,” he said.